Cyber security has become a far more serious and relevant topic for SAP system owners than ever before. While security has always been an important aspect of overseeing an SAP landscape, the remarkable growth in the number and types of worldwide threats has made security a board-level issue. Indeed, not mitigating cyber security vulnerabilities in SAP exposes companies to substantial risks in terms of financial losses, reputation damage and compliance.

Cyber Security Vulnerabilities Vs. Threats

One point that’s worth clarifying up front in any discussion of cybersecurity for SAP concerns the difference between a threat and a vulnerability. A threat is something that can cause harm to your IT assets. Malware attacks and Distributed Denial of Service (DDoS) attacks are threats. Cyber security vulnerabilities are the inverse—they’re weaknesses in your cyber defenses that leave you vulnerable to the impact of a threat.

The Remarkable Proliferation of Cyber Threats

Malicious actors have been incredibly productive, creating immense numbers of threats. There are literally hundreds of millions of new variants of malware created every year. In addition, we’re seeing extremely sophisticated attacks being mounted on private companies by nation state actors and cyber criminals with extensive resources.

Types of Cyber Threats

One unfortunate outcome of the current cyber security crisis is the revelation of humanity’s incredible inventiveness when it comes to these sorts of malicious acts. Attackers arm themselves with pretty much any kind of cyber threat you can imagine—and many that no one would have ever conceived of even a few years ago. The following are some of the most common types of cyber threats that can negatively affect your SAP landscape:

10 ways hackers take advantage of cyber security vulnerabilities

Crypting Services – the encryption of malware to obscure it and make it difficult to detect.

Crimeware – the buying and selling of malware on the “Dark Web,” a black market for cyber criminals. Crimeware is software designed to enable other people (typically those with minimal technical skills) to become cyber criminals.

Remote Administration Tools (RATs) – this type of malware, once activated, grants hackers control over the infected computer. The attacker can then proceed to steal data from the machine, render it inoperable, use the camera and so forth.

Ransomware – software that locks up your data and forces you to pay a ransom (usually in cryptocurrency) to release it back to you.

Exploit Kits – this works by targeting users who think they are visiting a trusted site, but then get redirected to a malicious site.

Leaked Data – data stolen from your machine can easily be sold on the Dark Web. Examples include credit card numbers, social security numbers, corporate login credentials and more.

Social Engineering – an approach to hacking that does not rely at all on technology. Rather, social engineering attackers exploit psychology to convince the target to trust them with confidential information, e.g. pretending to be the IT department and asking for a username and password. Spear phishing, where the attacker pretends to be a friend or colleague in a bogus email, is an another of a social engineering attack.

Card Skimmers – these devices are implanted in places like Point of Sale (POS) machines, bank teller machines and gas pumps to steal your identity and credit card account data.

Unpatched Systems – a great proportion of cyber security vulnerabilities can be resolved through the application of software patches. However, for reasons related to IT operations, and in some cases to aging software, a lot of systems may lack security patches. These outdated systems are vulnerable to attack.

Why Cyber Security Vulnerabilities are an Urgent Issue for SAP Owners

Cyber security has risen in importance, now commanding the attention of senior management and the board. No one wants to go through the embarrassment, brand damage or financial losses associated with a major data breach. Similarly, compliance risks related to security also put pressure on security managers to protect data assets like customers’ personally identifiable information.

It gets worse, though. The world is entering an era when attackers are trying to find ways to disrupt industries and critical infrastructure. Attacks on ERP and logistics systems may actually be the first step in penetrating industrial control systems (e.g. SCADA-based systems) causing chaos and even injury or death on the factory floor.

Getting to Effective Cyber Risk Mitigation

Effective cyber security requires people, not just technology. You can have the best tools in the world for intrusion detection network monitoring, but without people, they can’t do much. People have to assess threats and determine what’s real and what’s noise. People make decisions on how to respond to security incidents. They assess these cyber security vulnerabilities and choose which to make a priority for remediation.

Good security people are in short supply, though, even for big companies. SAP companies have started turning to an IT managed services model to cut costs and pool resources. With the right IT managed service provider, you can get the services of a SecOps team for less than the cost of a small in-house team. While no cyber security partner can keep you perfectly safe, the right partner can drastically cut the risks, and minimize the damage of a worst-case scenario by providing provide round-the-clock detection and response.

Symmetry provides a complete array of cyber security services. We’ll assess your security levels, identify vulnerabilities and work with you to fix them. We’ll also create a custom incident response plan to mitigate breaches and train employees in security best practices to further reduce risk. Together, we’ll help your organization quickly spot potential breaches or attempted breaches and neutralize them in real time.

Scott Goolik is VP of Compliance and Security Services at Symmetry. A recognized expert in the field of SAP security and compliance, Scott has over 20 years of expertise in SAP security and is a regular presenter at SAP industry tradeshows and ASUG events. His experience includes working for one of the Big Four accounting firms and developing auditing tools, including those for segregation of duties (SOD). Scott is also responsible for architecting the ControlPanelGRC® solution which provides audit automation and acceleration of security and control processes.